Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

The Inheritable Smart Contract Wallet project

favoritekd

Summary

The Inheritable Smart Contract Wallet is intended to provide a time-locked inheritance management system where assets are distributed to designated beneficiaries after a period of wallet inactivity (standard: 90 days). The contract also supports minting NFTs representing real-life assets for on-chain settlements. However, a critical vulnerability related to external contract interaction via call{}() has been identified, which may allow unauthorized access to funds through reentrancy attacks.

Vulnerability Details

The contract allows external contract interaction via call{}(), which is noted as potentially dangerous despite having reentrancy guards. The current implementation of these guards is insufficient under specific conditions, making the contract vulnerable to reentrancy attacks.

Exploit Scenario:

An attacker deploys a malicious contract that triggers the call{}() function in a recursive manner.
Improper handling of state updates before external calls allows the attacker to re-enter the contract’s functions, bypassing the intended reentrancy protection.
Unauthorized access to funds can occur before or during the inheritance process.

Proof of Concept (PoC):

Deploy a malicious contract designed to exploit the external call mechanism.
Trigger the recursive calls during inheritance processing or fund withdrawal by beneficiaries.
Observe how the intended state is altered, leading to unauthorized access to funds.

Impact

This vulnerability has a high impact, potentially leading to:

Unauthorized access to inheritance funds.
Manipulation of the inheritance process.
Complete drainage of the contract’s funds via recursive calls.

Tools Used

Manual Code Review
Remix IDE for Simulation
Foundry & Hardhat Testing Environment

Recommendations

Review and Strengthen Reentrancy Guards: Ensure state-changing operations are completed before external calls.
Implement Pull-Payment Pattern: Replace direct calls with a pull-payment mechanism to reduce reentrancy risks.
External Contract Validation: Introduce stricter validation mechanisms for external contract interactions.

Thank you for your consideration.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.